Windows Event Source Custom Channels

To configure a Local or Remote Windows Event Source, you must identify the channels to collect from. This page explains how to obtain this list of channel names from your systems, and describes channels which the Sumo Logic collector cannot process.

Obtaining channel names

To find the event channels available for collection, run the following PowerShell commands from an elevated (administrator) PowerShell prompt; without elevation, Get-WinEvent cannot read the metadata of some channels and reports errors for them. Then copy and paste the channel names into the Source's Custom Event Channels text box.

Enter the following commands into PowerShell:

# to see channels listed in the standard order
Get-WinEvent -ListLog *
# to sort the more active channels to the top of the list
Get-WinEvent -ListLog * | Sort-Object RecordCount -Descending
# to see channels present on a remote computer (requires remote event log access to that host)
Get-WinEvent -ListLog * -ComputerName <hostname>

The output lists each channel (the LogName column) together with the number of event records it currently holds (the RecordCount column).

In the output, the LogName column contains the channel names to enter, comma-separated, into the Source's Custom Events Channels text box. You do not need to reenter the names of the standard Application, System, or Security logs, which are already selectable via check boxes.

For example, to collect events from the top 5 most active channels shown above, select the Application and Security check boxes, then enter the following string into the text box:
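The following PowerShell function, added here as an example and not taken from the Sumo Logic documentation, automates the steps above: it lists the channels, skips the standard Application, System and Security logs that the check boxes already cover, keeps the most active remaining channels, prints them for review, and returns the comma-separated string to paste into the Custom Event Channels text box. The function name, its parameters and the default of five channels are choices made for this example, not Sumo Logic settings.

```powershell
# Added example, not part of the original page. Run from an elevated PowerShell prompt.
function Get-CustomChannelString {
    param(
        # Number of most-active channels to keep (illustrative default).
        [int]$TopN = 5,
        # Local host by default; pass another host name to query a remote machine
        # (the target must allow remote event log access, e.g. the
        # "Remote Event Log Management" firewall rule group).
        [string]$ComputerName = $env:COMPUTERNAME,
        # Standard logs already selectable via check boxes; leave them out of the string.
        [string[]]$Exclude = @('Application', 'System', 'Security')
    )

    # -ErrorAction SilentlyContinue: Get-WinEvent reports "could not retrieve
    # information" errors for some channels (typically debug/analytic ones) even
    # when elevated; those channels are simply skipped here.
    $params = @{ ListLog = '*'; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $params['ComputerName'] = $ComputerName }

    $picked = Get-WinEvent @params |
        # Keep channels that hold records and are not covered by the check boxes.
        # RecordCount is $null for channels that could not be read; $null -gt 0 is $false.
        Where-Object { $_.RecordCount -gt 0 -and $Exclude -notcontains $_.LogName } |
        Sort-Object RecordCount -Descending |
        Select-Object -First $TopN

    # Show the selection so it can be reviewed before it is pasted into the Source.
    $picked | Format-Table LogName, RecordCount, IsEnabled -AutoSize | Out-Host

    # Comma-separated channel names, the format the Custom Event Channels box expects.
    return (($picked | Select-Object -ExpandProperty LogName) -join ',')
}

# Usage: top 5 custom channels on this host, then the same for a remote host.
Get-CustomChannelString
Get-CustomChannelString -TopN 10 -ComputerName 'SERVER01'
```

The IsEnabled column is included in the review table because a channel that is disabled on the host will not receive new events regardless of how many historical records it shows; check it before relying on that channel for ongoing collection.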
